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Abstract 

This paper documents some of the evolutionary steps in developing a rigorous Space Shuttle launch 
abort capability. The paper addresses the abort strategy during the design and development and 
how it evolved during Shuttle flight operations. The Space Shuttle Program made numerous 
adjustments in both the flight hardware and software as the knowledge of the actual flight 
environment grew. When failures occurred, corrections and improvements were made to avoid a 
reoccurrence and to provide added capability for crew survival. Finally some lessons learned are 
summarized for future human launch vehicle designers to consider. 


Nomenclature 


AOA 

= Abort Once Around 

ATO 

= Abort to Orbit 

ET 

= External T ank 

FSW 

= Flight software 

ISS 

= International Space Station 

MECO 

= Main Engine cutoff 

OFT 

= Orbiter Flight Test Program 

OMS 

= Orbiter Maneuvering System 

RCS 

= Reaction Control System 

RTLS 

= Return to the Landing Site 

SOFT 

= Suborbital Flight Test Flight 

SSME 

= Space Shuttle Main Engine 

TAL 

= Transoceanic Abort Landing 

TPS 

= Thermal Protection System 

TVC 

= Thrust vector control 

WTR 

= Western Test Range 


I. Introduction 

T he Space Shuttle was intended to be a reusable launch vehicle. However the national budget could not support 
that large of an initial investment required for the design and development of a fully recoverable and reusable 
vehicle. Therefore a compromise design (Fig. 1.) was selected with an expendable external propellant tank that 
lowered development cost and corresponding increase in the operations cost. The Orbiter was designed for up to 100 
flights and a 10 year life; the Solid Rocket Boosters and Motors were recovered after every launch and refurbished 
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for a future flight. The External Tank (ET) was expendable and a new one built and flown on each flight. Space 
Shuttle Main Engines (SSME’s) were extensively checked and test fired before being reused. This resulted in 
approximately the same cost over the twenty-five year operating life but with a level and more affordable annual 
budget. With this framework, added frills for enhanced abort features were not affordable during the initial design. 
The intent was to design a robust and reliable vehicle that could accommodate a safe return with the loss of a single 
main engine. Two crew ejection seats were provided during the Orbital Flight Test program to protect for design 
surprises (infant mortality). Aborts resulting from other or additional failures would require the flight crew or 
ground assist to return the crew and vehicle. This required many hours of training for both the crew and ground 
controllers to expedite these aborts successfully. The safe recovery of the crew was based on training that used the 
inherent capabilities of the Space Shuttle. Once the ejection seats were no longer available and as the mission 
requirements increased, added abort capability was needed and had to evolve during shuttle operations. 

This paper addresses some of the key abort improvements that have been made over the life of the Space Shuttle 
program that have improved crew safety and reduced risks. Beyond the designed margins of safety and redundancy, 
the hardware and flight software have been modified with the increasing challenges for the existing Space Shuttle 
vehicle (Ref #1). As the performance grew so did the entry and landing weights, requiring structural beef up and 
software changes to stay within specified design limits (Ref #3). These were needed to carry larger payloads, 
increases in orbital inclination and altitude, large assembly tasks and to fly longer missions. Additional contingency 
sites were added to support changing ground tracts increasing available emergency runways. Most required flight 
software changes for additional targets and supporting navigational aids. As flight risks were identified and better 
understood improvements were made to mitigate the risk, the largest were those following the Challenger accident. 
In addition, all Shuttle abort work was coordinated with the Eastern Range Safety Offices at Patrick AFB. 

Finally lessons learned are summarized that should help future human spaceflight and launch vehicle designs. Most 
importantly is automating aborts wherever possible and verifying the flight software and flight sequences for all 
planned flight environments (Ref #2) including the aborts. The abort design is never complete, one should always 
monitor the flights and identify ways to improve the abort capability and maximize crew safety. 
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Figure 1. Space Shuttle 


II. Abort Design Philosophy 

The design philosophy for the Space Shuttle was added robustness, with a 1.4 factor of safety, and sufficient flight 
hardware and software redundancy to minimize the need for aborts. Also crew ejection seats and a backup flight 
computer and software were added to cover major design flaws and infant mortality concerns. Selected flight design 
missions were developed to bound the flight conditions and define the environments that the Space Shuttle was 
expected to operate in for the Shuttle design and development. Four reference missions were defined: two launched 
from the east coast, a due east launch for maximum performance and a high inclination flight for a possible space 
station orbit, and two from the west coast, both polar orbit military missions. The latter two military missions 
required a high cross range and auto land capability. 

A crew return capability following the loss of one of the Shuttle main engines was a design requirement. Other 
design requirements for added cross range, auto land and SSME throttle up capability provided margin for abort use 
and uncertainties. Contingencies resulting from the loss of additional main engines or unexpected failures were 
covered by exhausted crew training, crew procedures and mission rules. Onboard computer limitations required 
most of the abort determination be performed on the ground in the Mission Control Center (MCC). The flight 
control team and the flight crew trained together during integrated simulations for every Shuttle flight. The teams 
become proficient in failure recognition and abort execution. These simulations and Shuttle avionics integration 
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testing added confidence that the flight software worked and interfaced with the flight hardware for each mission 
configuration. 

The intact aborts following the loss of a single engine were an automated design feature; while the contingency 
aborts, for all other failures, were mostly flown manually by the crew with ground assistance. The recovery and a 
safe return for the contingency aborts were developed using the inherent capabilities of the Shuttle vehicle and not 
always certified. Flight software was added to allow proper sequencing through the necessary flight phase modes- 
powered flight, separation and entry; but the structure and flight control capabilities could not be certified for all the 
possible abort scenarios. Continued analysis throughout the life of the program significantly improved the 
certification for the more likely abort cases. These studies supported some hardware modifications and regular flight 
software improvements were made for increased crew safety. 

III. Launch Abort Modes 

The original ascent design for the Shuttle was to shape the launch trajectory such a continuous abort capability 
existed for the loss of a main engine from liftoff to the planned main engine cutoff (MECO). A return to the landing 
site (RTLS) abort capability would exist up until an abort once around (AOA) capability was achieved. The first 
Shuttle launch was the only Shuttle launch that was flown with this abort shaping. Shaping the ascent to force the 
RTLS and AOA aborts together was a significant launch performance penalty, approximately 6000 lbs. Therefore 
subsequent Shuttle launches were shaped for maximum payload to orbit. This nominal shaping opened up an abort 
capability gap between the last RTLS and earliest AOA. A down range abort, trans-ocean abort landing (TAL), was 
added to fill the gap. Because this was an added capability after the Shuttle was designed it was called a contingency 
abort until it was certified later in the program. 

The intact abort modes are summarized on fig. 2-4 and the coverage on fig. 5: 
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A. The RTLS has the most differences from the normal Shuttle profiles flown each mission. First because it 
returns the Shuttle’s Orbiter to the KSC landing site, it requires a powered flight pitch around maneuver to 
kill off the down range velocity and add sufficient velocity for the Orbiter to glide back to the Cape. This 
maneuver provides a gross control for using up the propellant in the ET, SSME throttling is the fine control 
necessary to deplete the propellant prior to separating the ET (less than 2% required for separation). This 
separation is the most critical maneuver for the RTLS (highest risk) because it is significantly different than 
the normal ET separation. After the powered pitch down maneuver and MECO, it requires an assist from 
both the RCS jets and from the aerodynamics to achieve a safe separation. To establish the correct velocity 
for the Orbiter’s return and meet the tight dynamic pressure constraints for separation the altitude has to be 
high enough causing it to be considerably off the desired equilibrium glide slope for a normal descent. This 
means the Orbiter is failing in like a rock and a 50 degree angle of attack (the highest required in the 
program) is needed to avoid breaking the wings off and sufficient control margin to capture the normal 
entry trajectory without an excessive phugoid during pullout. Once on the normal glide slope the return is 
much like the normal entry. 

B. TAL aborts are much closer to the normal Shuttle flight profdes and once it was certified it was preferred to 
RTLS when an overlap occurred. These aborts were far enough down range that near normal ET separation 
and entry could be performed. The largest concern was with the ET rupturing close to the Orbiter during 
the descent. Surprisingly the ET had a more violent rupture than anticipated resulting in a fairly large 


5 


AIAA SPACE 2011 Conference & Exposition 
26 - 29 Sep 2011, Long Beach, California 


AIAA 2011-1072113 


envelope of debris the Orbiter had to avoid to make a safe entry. Two things were required to provide 
sufficient separation distance between the ET and Orbiter prior to rupture: first rolling the Shuttle during 
ascent to condition the ET thermally to delay rupture and second was to adjust the TAL MECO target 
conditions to achieve an adequate separation distance between the vehicles (this sometimes required 
delaying the earliest TAL). Another difference was because the TAL sites were selected primarily for 
location to the ascent ground track, they didn’t have as long of a runway or the navigation aids desired for 
landing. To compensate for these deficiencies runway barriers were later added and additional NAV aids 
and ground support were provided for the specific missions. 

C. The AOA is the least likely abort mode because the improvements in the abort to orbit (ATO) with 
deorbiting opportunities early in the flight have about the same capability as the AOA except for when the 
performance is below normal on the earliest abort times. A time critical contingency abort would be a more 
likely requirement for AOA. 

D. The ATO is the preferred abort option whenever that capability exists. It continues the ascent with the two 
remaining SSME’s and inserts in a safe orbit giving time to assess the situation and schedule a normal 
return to a primary landing site or continue the planned mission. This was the only intact abort performed 
in the program on STS-51F following an erroneous engine shutdown from a faulty sensor reading. There is 
a press to MECO (PTM) abort mode which can occur late enough in the launch to continue the normal 
mission with no degradation. 
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Figure 3. Shuttle Intact Aborts: Transoceanic Abort Landing (TAL) Profile 
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Figure 4. Shuttle Intact Aborts: Transoceanic Abort Landing (TAL) Profile 
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Figure 5. Shuttle Ascent Abort Profile 
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IV. Major Program Milestones 

There have been major milestones, planned and unplanned, in the life of the shuttle program that provided 
opportunities or mandated abort improvements. The following discusses some of the more prominent events: 

A. Pre-Shuttle Launch 

Prior to launching the Space Shuttle’s Orbiter vehicle into space an ALT program was conducted, separating the 
Enterprise off the 747 and landing the Orbiter on a runway at the EAFB to insure the Orbiter could land safely. 
A surprise happened during the transfer of Columbia from the builder on the west coast to the launch site at 
KSC, many of the Orbiter thermal protection ceramic tiles fell off during the ferry flight. This raised a major 
concern- should the TPS tiles fall off during launch the Orbiter would not be able to survive the heat of entry. 
Actions were taken to review and improve the tile bonding process. A backup plan was to change the first 
Shuttle flight to a suborbital flight test (SOFT) in case tiles fell off during the first stage the Orbiter could return 
without being thermally stressed. Finally improvements in tile attachment and extensive testing provided the 
confidence to proceed with the planned launches without a suborbital flight. 

B. Orbital Flight Test Program 

The Orbital Flight Test (OFT) Program was the initial checkout phase for Shuttle launches. Conservatism and 
data collection were the key objectives for the first four flights. As mentioned earlier, crew ejection seats for the 
first four flights added a crew escape capability for surprises or an unexpected design flaw. The OFT program 
provided sufficient flight information to verify the models used to conduct a commit-to-flight activity prior to 
each launch and to refine the crew procedures and mission rules needed for operations. It also provided the 
confidence to disable the crew ejection seats (later to be removed) and add additional crew members. 

C. Shuttle Operations 

Shuttle operations were where improvements started in earnest. First major mods to the FSW were initiated to 
support the expanded mission requirements and to add and improve on the basic capabilities used to support the 
test program. Software updates were routinely scheduled through a FSW control board and updated on a 
priority need and available skills. All updates were verified, tested and used in the flight design prior to each 
mission. Changes were needed early on for additional performance to meet increasing payload demands. As 
payload weights increased the abort landing weights rapidly exceeded the design requirements. To reduce the 
landing weights software sequencing logic was added to dump residual fluids/propellants during the abort that 
had not been used because of the early termination. These dumps were normally during the abort after MECO 
and sometimes during entry were not standard ops for the propellant tanks, feed lines, etc. Therefore dumps 
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could only be performed during limited orientations and gravity loads and not all fluids could be expelled. All 
requiring added certification and testing. 

The next change was going to a higher inclination (i=57deg.) on STS-9. This change resulted in a new ground 
track and over flight during ascent requiring new northerly abort landing sites for TAL (Fig. 6). It also 
introduced additional contingency abort landing sites along the East coast that could improve the chances for a 
landing on a runway for certain failures that would have been water ditches for the more easterly launches 
previously flown. This was followed by the deletion of the OMS-1 maneuver on STS-1 1, going from a standard 
insertion to a direct insertion. The change saved OMS propellant, which was critical for that mission but moved 
the normal ET impact zone from the Indian to the Pacific Ocean. The OMS burn deletion required a higher 
MECO velocity increasing the ATO likelihood for an abort over an AOA. 



A major design activity was conducted preparing for Shuttle launches on the West coast from Vandenberg 
AEB. Though not flown due to new program directions following the Challenger accident, a lot of design work 
and analysis was done. The launch abort environments were significantly different than those for the East coast 
launches and required a lot of changes for the aborts. Therefore the launch aborts for the initial WTR launch 
were designed to be benign with considerable margin. Instead of returning to the runway at Vandenberg AFB, 
the RTLS was designed to return to Edwards AFB where the lakebed offered multiple runway choices for 
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surprises. This introduced a problem with an unacceptable ET disposal on land following MECO. A dogleg 
trajectory was inserted to steer the ET out in the Pacific Ocean prior to MECO to avoid disposal on a populated 
area. Then bank the Orbiter to glide in to EAFB. It also required adding a more up range TAL site (Easter 
Island) to avoid an abort gap. A major complication for the planned WTR launches was carrying the Centaur 
upper stage and its propellant in the Shuttle cargo bay. These required adding and certifying a new propellant 
dump system to dump these propellants prior to landing for the aborts. Though these WTR missions were never 
flown the analysis performed added greatly to the knowledge base and was very helpful in follow on Shuttle 
work. 

D. Challenger (5 1L) 

The one event that had the most impact on abort changes was the return-to-flight work following the Challenger 
accident on STS-51L. Three significant areas were addressed: 1). Develop a bailout capability, 2). Certify the 
intact aborts and 3). Eliminate the black zones (the loss of crew following a second main engine failure). Lots of 
other changes happened also but the paper will address these three. 

Several design changes were added to support crew bailout. First the hatch was redesigned to facilitate easy and 
fast egress for the total crew. A pole was added for the crew to slide out on to clear any recontact with the 
Orbiter. Changes were made to the flight suit that protected for decompression in case of an abort. These 
features added a capability for the crew to bailout during a stable glide over trying to survive ditching the 
Orbiter in the Ocean. 

As mentioned earlier intact aborts following the loss of a single main engine was a certified design requirement 
for the Shuttle. However the TAL aborts were added after the design phase and were not fully certified. Prior to 
returning the Shuttle to flight after the accident the TAL aborts were fully certified and acceptable runways and 
navigation aids were provided. Once certified and had a profile similar to normal Shuttle separation and 
descent, TAL aborts became preferable over the RTLS abort for non-time critical aborts. 

Also mentioned earlier that not a lot of work was done on contingency aborts - failures beyond the loss of one 
main engine. The Shuttle aborts are defined as the vehicle has a problem with Space Shuttle Main Engine 
(SSME) or the critical subsystems/systems that require to abort its mission. Depending on a level of 
survivability of the crew and vehicle, three zones (green, yellow, and black) for the abort are developed. The 
green zone is defined as the vehicle and crew is completely recoverable (reach to a landing site). The yellow 
zone is defined as the crew may be bailed out from Orbiter. A black zone is defined as a vehicle loss of control/ 
structural failure that could lead to non-recovery or an uncontrollable vehicle and a death of its crew. 

The abort with 1 SSME-out is an intact abort that is referred as a green zone for the ascent phase. The abort 
with 2 or 3 SSME-out is referred as contingency abort (Ref #4). The contingency abort may be in green, yellow, 
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or black zone. Prior to the challenge accident (STS-51L), most of the black zone occurred for 2 or 3 SSME’s 
out during ascent phase. 

Key philosophies to minimize the black zone are to detect a failure as soon as possible and train a crew to fly 
critical maneuvers to control vehicle including a quick separation of the Orbiter from the stack. Shuttle 
engineers used engineering tools to develop manual crew procedures and flight software to minimize the black 
zones. Then, both crew and engineers used the Shuttle Engineering Simulation (SES) to validate crew 
procedures for 2 or 3 engine-out scenarios before they were implemented into the Space Shuttle missions. In 
addition, the engineers also developed tools to be used by the flight controller to evaluate abort options and 
predict a vehicle ground impact point. Both crew and flight controllers were trained how to identify off-normal 
operational situation of the Shuttle systems and select appropriate procedures to fly vehicle to a landing site or 
control vehicle in the stable condition so the crew can bail out. 

The key flight software packages were developed and implemented after 51L to reduce black zone are: 

1. The second SSME-out recognition flight software 

2. The Automation of the NZ hold phase during the Entry phase, abort propellant dump logic, and Transoceanic 
Abort Landing (TAL) droop logic 

3. The expansion of a landing site table in the flight software to cover additional east-coast landing sites. 

Below ( figs. 7 & 8) are a black zone comparison of the contingency abort capability between pre sts-51L 
(1986) and post 2000. 
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Figure 7. Contingency Abort Capability - Pre STS- 51L (1986) 
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Figure 8. Contingency Abort Capability - Post 2000 


E. Shuttle Upgrades 

After the return-to-flight and Shuttle operations were progressing reasonably well. Shuttle upgrades were 
reconsidered. The plan was twofold, first was to improve the Shuttles operating efficiency and flight rates to 
significant reduce the operating cost and second to add safety improvements to raise the Shuttle reliability. The 
goal was to extend Shuttle to 2020 or beyond but due to budget pressures the operations efficiencies were the 
first to go- not being mandatory and we could fly without them. Work on the safety improvements went along a 
while longer. The program considered some significant improvements including an advance cockpit for added 
situation awareness, a new TVC system for the SRB’s, advanced SSME health management, a new more 
sustainable fuel cell, new landing gear and tires were the major ones. Though most of these upgrades were 
developed, all but a couple were canceled once the decision to retire the Space Shuttle was made. The first 
phase of the SSME health management, to shutdown an SSME if it exceeded a engine vibration constraint and 
the new tire were implemented. 

The SSME with high throttle was also certified to minimize the exposure for RTLS and TAL aborts. 
Particularly, the SSP also implemented the RTLS ET/Orbiter separation software change to reducing a risk of 
loss of control and Orbiter/ET recontact. 
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F. International Space Station 

Once the assembly for the International Space Station (ISS) was initiated additional Shuttle payload weight was 
required to launch the larger ISS elements. This increased the abort weights beyond the certification limits for 
the RTLS separation and entry. New MECO targets and descent profiles were developed and certified. Now 
with assembling the ISS being the primary task, improvements in the automatic rendezvous and docking were 
key. Also with the many EVA’s required for assembly many crew safety features were added like eliminating 
share edges that could damage space suits and gloves during space walks. Drag on cables were used to provide 
extra power to the Shuttle for extending ISS stay times to accomplish more tasks while the Shuttle was docked 
to the ISS. Once the ISS was manned and could support a large crew the station became a safe haven for the 
crew if an Orbiter became damaged and not safe for entry. 

G. Columbia (STS- 107) 

The Columbia accident on STS-107 was probably the deciding factor for the Shuttle termination. The major 
finding from the accident review board was to understand and eliminate the source of debris during Shuttle 
ascents. Added modifications and inspections during the ET build process and during the launch was the major 
focus which added additional cost. Inspections to the Orbiter after launch, at the ISS and prior to entry were 
added to avoid an unsafe return. As mentioned above, provisions for the ISS to provide a safe haven for the 
crew were added as well as adding a rescue Shuttle on standby if needed. 
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V. Lessons Learned 

Many lessons can be learned from the development and evolution of the aborts during the Space Shuttle Program: 

1. Include aborts as part of the launch/crew vehicle design and development 

2. Identify and protect for the likely failure modes 

3. Know the vehicle limitations and add design margin 

4. Keep abort paths close to normal flight 

5. Provide a crew escape capability 

6. Automate aborts and abort determination 

7. Provide the crew situation awareness 

8. Test the flight hardware 

9. Verify the flight software for all expected flight environments 

10. Maintain a strong commit-to flight process 

11. Explain all flight anomalies 

12. Train for the unexpected 

13. Provide sufficient ground support for flight status, abort confirmation and replanning 

14. Improve planning tools with flight data 

15. Update abort capabilities and perform necessary verification for all changes 

16. Provide provisions for modular updates for new capabilities 

VI. Conclusions 

In conclusion, the abort capabilities evolved throughout the life of the Space Shuttle program as changes 
occurred. There was a lot of learning as we went along; in hindsight more planning for upgrades and for 
automation would have helped keep systems more current. The shuttle abort capabilities were significantly 
improved along with added vehicle certification for the planned aborts. More importantly, improvements in 
training, crew procedures, situation awareness, and mission rules all led to much safer flights. Crew safety and a 
safe Orbiter return were maximized for the loss of a single main engine and crew survivability was significantly 
improved for multiple engine failures. 
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